Email users who use PGP (based on OpenPGP) and S/MIME to encrypt and decrypt their communications are at “immediate risk.” The reason is that a team of European researchers has found critical flaws in the encryption standards and currently there are no fixes available.
The vulnerabilities dubbed EFAIL are harmful as they can reveal the contents of messages in plain text, even for the messages from the past.
If an attacker gains access to a victim’s encrypted emails through methods like eavesdropping or compromising email accounts, EFAIL can be used to “abuse active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through URLs,” reads the website detailing the vulnerabilities.
A modified encrypted email sent by the attacker to the victim is decrypted by their email client. While doing so, the client loads any external content, thus, exfiltrating the plaintext to the attacker.
The PGP encryption is mostly used by political activists, journalists, and whistleblowers as an extra layer of encryption. On the other hand, S/MIME is used mainly in enterprise infrastructure.
Why this should be taken seriously is because the Electronic Frontier Foundation (EFF) is also spreading the word. The Foundation which has been in communication with the researchers has advised users to “temporarily stop sending and especially reading PGP-encrypted email”.
Users should immediately disable or remove any tools that automatically decrypt PGP-encrypted emails until the flaws are understood and fixed, EFF said. They have published guides for Thunderbird, Apple Mail, and Outlook.
Submitted by: Arnfried Walbrecht